trickbot | d016c557952b643a0e7caf5d92cfb876667cb792d7c226d27509b6ac943d6743

General

Target

d016c557952b643a0e7caf5d92cfb876667cb792d7c226d27509b6ac943d6743N.exe
Size

172KB
MD5

8e219fdd09b5a20d378ec62074eee870
SHA1

b1afe8ae694c25f66b6300213deb68f6b4ed20bc
SHA256

d016c557952b643a0e7caf5d92cfb876667cb792d7c226d27509b6ac943d6743
SHA512

16cf3117b75202ac6a6502e9bebcba3f22b2e15fb870c20321579808e4a6e9053e22e55c904fd8ac044e84736eca59f0e1a8a60a6970c9a32635df0a2cd7bd07
SSDEEP

3072:OjkTJNLBgRcuBStYlUIYMYsN5vxMtSp7FmxoaHjqlzpkcFSH00u/DL+E0QG:OjkTRgRSWUIYMrN55Mwp7Fmxizkh00u9

Score

10^/10

trickbot banker discovery trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 3 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/1420-0-0x0000000000400000-0x000000000042D000-memory.dmp	trickbot_loader32
behavioral1/memory/1420-3-0x0000000000400000-0x000000000042D000-memory.dmp	trickbot_loader32
behavioral1/memory/2368-9-0x0000000000400000-0x000000000042D000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

pid	Process
2368	d018c779972b843a0e9caf7d92cfb898889cb992d9c228d29709b8ac943d8943P.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d016c557952b643a0e7caf5d92cfb876667cb792d7c226d27509b6ac943d6743N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d018c779972b843a0e9caf7d92cfb898889cb992d9c228d29709b8ac943d8943P.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	2872	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 2776	1420	d016c557952b643a0e7caf5d92cfb876667cb792d7c226d27509b6ac943d6743N.exe	30
PID 1420 wrote to memory of 2776	1420	d016c557952b643a0e7caf5d92cfb876667cb792d7c226d27509b6ac943d6743N.exe	30
PID 1420 wrote to memory of 2776	1420	d016c557952b643a0e7caf5d92cfb876667cb792d7c226d27509b6ac943d6743N.exe	30
PID 1420 wrote to memory of 2776	1420	d016c557952b643a0e7caf5d92cfb876667cb792d7c226d27509b6ac943d6743N.exe	30
PID 1420 wrote to memory of 2776	1420	d016c557952b643a0e7caf5d92cfb876667cb792d7c226d27509b6ac943d6743N.exe	30
PID 1420 wrote to memory of 2776	1420	d016c557952b643a0e7caf5d92cfb876667cb792d7c226d27509b6ac943d6743N.exe	30
PID 3004 wrote to memory of 2368	3004	taskeng.exe	32
PID 3004 wrote to memory of 2368	3004	taskeng.exe	32
PID 3004 wrote to memory of 2368	3004	taskeng.exe	32
PID 3004 wrote to memory of 2368	3004	taskeng.exe	32
PID 2368 wrote to memory of 2872	2368	d018c779972b843a0e9caf7d92cfb898889cb992d9c228d29709b8ac943d8943P.exe	33
PID 2368 wrote to memory of 2872	2368	d018c779972b843a0e9caf7d92cfb898889cb992d9c228d29709b8ac943d8943P.exe	33
PID 2368 wrote to memory of 2872	2368	d018c779972b843a0e9caf7d92cfb898889cb992d9c228d29709b8ac943d8943P.exe	33
PID 2368 wrote to memory of 2872	2368	d018c779972b843a0e9caf7d92cfb898889cb992d9c228d29709b8ac943d8943P.exe	33
PID 2368 wrote to memory of 2872	2368	d018c779972b843a0e9caf7d92cfb898889cb992d9c228d29709b8ac943d8943P.exe	33
PID 2368 wrote to memory of 2872	2368	d018c779972b843a0e9caf7d92cfb898889cb992d9c228d29709b8ac943d8943P.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d016c557952b643a0e7caf5d92cfb876667cb792d7c226d27509b6ac943d6743N.exe
"C:\Users\Admin\AppData\Local\Temp\d016c557952b643a0e7caf5d92cfb876667cb792d7c226d27509b6ac943d6743N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2776

C:\Windows\system32\taskeng.exe
taskeng.exe {DC7D4F0C-1751-4474-8725-6037AA31CF9C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Roaming\netcloud\d018c779972b843a0e9caf7d92cfb898889cb992d9c228d29709b8ac943d8943P.exe
  C:\Users\Admin\AppData\Roaming\netcloud\d018c779972b843a0e9caf7d92cfb898889cb992d9c228d29709b8ac943d8943P.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\netcloud\d018c779972b843a0e9caf7d92cfb898889cb992d9c228d29709b8ac943d8943P.exe

Filesize
172KB

MD5
8e219fdd09b5a20d378ec62074eee870

SHA1
b1afe8ae694c25f66b6300213deb68f6b4ed20bc

SHA256
d016c557952b643a0e7caf5d92cfb876667cb792d7c226d27509b6ac943d6743

SHA512
16cf3117b75202ac6a6502e9bebcba3f22b2e15fb870c20321579808e4a6e9053e22e55c904fd8ac044e84736eca59f0e1a8a60a6970c9a32635df0a2cd7bd07

Download Submit
memory/1420-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1420-2-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/1420-1-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1420-3-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2368-10-0x0000000010001000-0x0000000010005000-memory.dmp

Filesize
16KB

Download
memory/2368-9-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2776-4-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/2776-6-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/2872-11-0x00000000000E0000-0x00000000000FE000-memory.dmp

Filesize
120KB

Download
memory/2872-12-0x00000000000E0000-0x00000000000FE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing